Privacy Policy
Effective: April 2026
IRIS5 is operated by Paideia Gamma (“PGC”, “we”, “us”). We take the privacy of schools and their data extremely seriously. This policy explains what data we collect, how we use it, and how we protect it.
1. Data we collect
We collect only the data necessary to deliver the IRIS5 diagnostic service:
- Account information— your name and email address, used to create and manage your account.
- School profile data— information about your school (name, type, enrolment figures) entered during the audit process.
- Questionnaire responses— your answers across the five diagnostic dimensions. These are stored to enable the diagnostic service and generate your results.
- Uploaded documents(deep audit only) — documents you upload for AI-assisted analysis.
2. Document handling
Documents uploaded for deep audits are processed by AI for analysis purposes only. The original files are permanently deleted immediately after processing. We never store your documents beyond the time required for analysis, and they are never used for AI model training or shared with third parties.
What we retain is the extracted analysis used to build your report — metrics, key facts, and short supporting quotes from your documents. This analysis remains part of your audit results until you clear your uploaded documents or delete the audit or your account, at which point it is deleted too. Deleted records may persist in our encrypted database backups for up to 7 days before those backups expire; backups are never used for any purpose other than disaster recovery. (Backups never contain your original documents — those are never written to the database at all.)
3. Questionnaire responses
Your questionnaire responses are stored securely and tied to your school account. This data is used solely to generate your diagnostic results, scoring, and recommendations. You can delete this data at any time by deleting your account.
4. Aggregate benchmarking
Completed audits contribute to anonymised statistical aggregates only — counts and sums used for peer benchmarking. No individual school data is retained in the benchmarking dataset. It is not possible to identify any individual school from the aggregate data.
5. Cookies
We use a minimal number of essential cookies to operate the platform. For full details, see our Cookie Policy.
6. Third-party services
We use a small number of trusted third-party services to operate IRIS5:
- Stripe— for payment processing. We do not store your card details; all payment data is handled directly by Stripe under their Privacy Policy.
- Anthropic— for the AI analysis itself. During a deep audit, document content is processed by Anthropic’s Claude API in the United States under a data processing agreement. Anthropic does not use this data to train AI models and retains API inputs only for a limited period. See their Privacy Policy.
- Supabase— for database hosting, hosted in the EU (Ireland, eu-west-1).
- Vercel— for application hosting, served from the EU (Paris).
- Resend— for transactional email (verification, password-reset, and sign-in codes).
- Upstash— for request rate-limiting, hosted in the EU (Ireland). Holds only short-lived technical metadata (such as IP addresses) — never school data or documents.
7. Data location
Everything IRIS5 stores lives in the European Union: the database in Ireland (eu-west-1) and the application in Paris. Your account data, questionnaire responses, and diagnostic results never sit on servers outside the EU.
One category of processing happens outside the EU: during a deep audit, document content is sent to Anthropic’s Claude API in the United States for the analysis itself, under a data processing agreement — it is never used for model training and is retained by Anthropic only for a limited period. Transactional emails are delivered via Resend (US).
8. Your rights
You have the right to:
- Access the personal data we hold about you and your school.
- Correct any inaccurate account or school information.
- Delete your account and all associated data.
9. Account deletion
You can delete your account at any time via the Settings page. Deleting your account permanently removes all associated data, including your school profile and questionnaire responses. Deleted records may persist in encrypted disaster-recovery backups for up to 7 days before expiring (see Section 2).
10. Marketing communications
We do not send marketing emails unless you have explicitly opted in. You can withdraw your consent at any time.
11. Changes to this policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated effective date.
12. Contact
If you have questions about this privacy policy or how we handle your data, contact us at iris5@paideiagamma.com.
Paideia Gamma — www.paideiagamma.com
Paideia Gamma